When creating an API token, allow fine-grained scoped control.
An example use case: when using Let's Encrypt to generate your certificates, you can perform a DNS challenge to authenticate control of the domain. This adds a TXT record to your domain, confirming you have access to that domain.
You currently need to give your "god-mode" API token to do this using DigitalOcean.
With scoped access, you could create an API token with "dns:modify" and that's all that API token would be allowed to do.
This would reduce the attack surface if the API token gets leaked from your droplet.
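
A sketch of the deny-by-default check that scoped tokens imply, added here as an example; it is not DigitalOcean's code or API. Only the "dns:modify" scope name comes from the post above; the route patterns, the other scope names and the implication table are assumptions for illustration.

```python
import re

# Hypothetical route table: (HTTP method, path pattern, scope required).
# Route shapes and every scope except "dns:modify" are assumptions.
ROUTE_SCOPES = [
    ("GET",    re.compile(r"/v2/domains/[^/]+/records"),      "dns:read"),
    ("POST",   re.compile(r"/v2/domains/[^/]+/records"),      "dns:modify"),
    ("DELETE", re.compile(r"/v2/domains/[^/]+/records/\d+"),  "dns:modify"),
    ("DELETE", re.compile(r"/v2/droplets/\d+"),               "droplet:delete"),
]

# Assumed implication: a token that may modify DNS may also read it,
# which an ACME client needs to find and clean up its TXT record.
IMPLIES = {"dns:modify": {"dns:read"}}


def required_scope(method, path):
    """Return the scope a request needs, or None for an unknown route."""
    for route_method, pattern, scope in ROUTE_SCOPES:
        # fullmatch, so trailing path segments cannot ride on a DNS route
        if route_method == method.upper() and pattern.fullmatch(path):
            return scope
    return None


def is_allowed(token_scopes, method, path):
    """Deny by default: unknown routes and missing scopes are both refused."""
    needed = required_scope(method, path)
    if needed is None:
        return False
    granted = set(token_scopes)
    for scope in token_scopes:
        granted |= IMPLIES.get(scope, set())
    return needed in granted


if __name__ == "__main__":
    acme_token = {"dns:modify"}  # constructed token for a DNS-challenge client
    requests = [
        ("POST", "/v2/domains/example.com/records"),   # add the TXT record
        ("DELETE", "/v2/domains/example.com/records/42"),  # clean it up
        ("DELETE", "/v2/droplets/1001"),               # what a leaked token must not do
    ]
    for method, path in requests:
        print(method, path, "->", "allow" if is_allowed(acme_token, method, path) else "deny")
```
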